Penetration TestJan Kahmen8 min read

DOM Invader - The New Feature of Burp Suite

Burp Suite quickly and easily detects the XSS issue in DOM-based Cross Site Scripting executed directly in the browser.

Table of content

How to Enable DOM Invader in Burp Suite

Burp Suite's DOM Invader helps you find DOM-based vulnerabilities quickly and specifically. Once you have enabled the Invader: Burp Suite quickly and easily detects the XSS issue in DOM-based Cross Site Scripting executed directly in the browser. The activation itself is simple:

  • Step 1: Open Burp Suite in the Chromium browser.
  • Step 2: Open Burp's embedded browser. This is located on the Proxy tab. If the extension is not pinned by default, click on the plug icon to pin it.
  • Step 3: Next, enable the Invader under the extension settings.

Burp Suite can thus be put directly into operation with just a few steps and clicks. This makes the tool ideally suited for regular use in everyday life. It can thus also be useful for more extensive security tests or as part of a penetration test.

These are the DOM Invader Settings

In order to use Burp Suite as you want, you should check the invader settings. To do this, it is enough to look at the Burp Suite icon. It is located in the upper right corner of the browser and can be opened with one click. Through the settings, you also determine how the suite behaves, which allows you to implement different test scenarios.

  • Auto fire events: Triggering click and mouseover events automatically is also possible with DOM. When the page is loaded, each element is evaluated accordingly. In this way, Burp Suite ensures to execute injected payloads directly automatically.
  • Stacktrace for message filtering: a common problem when testing websites is the large number of triggered messages. They lead to noise, making testing more difficult. Using stacktrace, Burp Suite hides all entries that refer to identical code locations multiple times.
  • Catch Post Messages: Once this option is active, you can test cross-site scripts in the web messaging feature of the site. This works via the Postmessage tab in the DevTools panel. Additionally, there are a few specific settings available through which you can refine the desired behavior.
  • .
  • Inject Canary in all sources: With this setting, you automatically inject Canary into the identified sources on the page. In doing so, the program appends a unique string, allowing you to quickly identify which source flows where. The good thing about this is that it saves you time tracking down vulnerabilities. This option is disabled by default, as it is possible that the page will not load properly otherwise.
  • Prevent redirects: It may happen that your own actions trigger a DOM-based redirect. This redirection to another page may affect their test. The reason for this is deleting the registration cards and updating them with the new source. On the other hand, if "Prevent redirection" is enabled, the DOM-based redirection is prevented. Only redirects to Javascript URLs are preserved - or those initiated by the Canary in URL button.
  • Update Canary: The Canary is based on a random alphanumeric string by default. However, it can be overwritten with any canary. However, you will then need to reload the button in the Chromium browser before the changes take effect.

How DOM Invader Works

Burp Suite's Invader is an effective tool when it comes to detecting DOM XSS. Based on the values it sends, you can check it as if it were a reflected XSS. The way it works is simple but effective:

First, load the page you want to test. Then, the Canary is introduced to a general source or a specific query parameter. Using the DevTools embedded in the Burp Suite browser, you open the "Augmented DOM" tab. You will then see all sinks and sources with the Canary value. The display is based on a tree view for all available sources, so it remains clear and you can use it purposefully. Especially helpful: The jobs within the Burp Suite are arranged in descending order - this means you see the most interesting of the entries first.

When you find a relevant entry, you can view the value, as well as the associated stack trace. It can be useful at this point to store additional characters in the URL parameter or another source of the Canary. In this way, you can quickly and easily determine whether the characters are coded correctly.

The DOM Invader is Clear and Practical to Use

As soon as you change the page in your browser, for example by redirecting, forwarding or similar, the Canary reloads. This means for you: most of the processes are done automatically and you only have to define a few settings in advance to get meaningful results. The practical listing of the findings in list form also makes them nice and clear.

You will already benefit from the overview provided after a short time. This makes Burp Suite an excellent companion towards more security in your Internet applications. By the way, you can use Burp Suite not only in the corporate environment, even though it is particularly important there: it is also ideally suited for your personal single-page web applications.

What is Cross Site Scripting (XSS) and how Does it Work?

Cross site scripting is a type of injection attack, and it is executed client-side. In this process, a malicious script is injected into an otherwise legitimate website and then executed. As soon as the user visits the website with this injected code, the attack begins. As a result, this form of scripting poses a high risk, which Burp Suite is designed to limit.

The good news is that many of the XSS vulnerabilities can be detected with the help of a penetration test. Most of them are found in single-page web applications, where a large part of the business logic is moved to the frontend. This is mostly done in the form of Java scripts, making Scripting Vulnerability one of the most widespread vulnerabilities for web applications. These attack vectors are also increasingly found in API calls, making the vulnerability inherently critical. However, the attack can be executed not only client-side, but also succeeds server-side.

The goal of such an attack is usually to obtain confidential data. It can also cause damage to the system or take over the application completely. This works particularly well because the attack code is located within a supposedly secure context. This makes this method not only popular, but also dangerous.

Incidentally, XSS can be used to fundamentally change Internet pages, allowing the attackers to take control of the browser. Confidential information or passwords that can be read this way are obtained by the cybercriminal without much effort. With Burp Suite, however, these very vulnerabilities can be easily detected.


Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment: